Friday, April 20, 2012

In this post i will be talking about an integer overflow vulnerability that i have found in Microsoft Incremental Linker (link.exe) of Visual Studio 2008. I am still not aware of any other affected versions.

The integer overflow occurs due to unsafe way of calculating the size of COFF symbol tables embedded in executables.

The "ReadStringsAndSymbols" function is always called to parse the COFF symbol table if the "PointerToSymbolTable" and "NumberOfSymbols" fields of theIMAGE_FILE_HEADERstructure are not null.

The C code for the function in the image above looks something like this.

As you can see in the image above, the "ReadStringsAndSymbols" function calls the "LoadStrings" and "ReadSymbolTableEx" functions. The "LoadStrings" function is prone to an integer overflow when calculating the end address of the symbol table but it is not the one of interest since it is only used in subsequent calls to the "PbMappedRegion" function for ensuring that symbol table is within boundaries of the mapped view of the input file.

The "ReadSymbolTableEx" function calls the "ReadSymbolTableT" function to calculate the absolute address of the symbol table in the mapped view. Upon return of the "ReadSymbolTableT" function, the "ReadSymbolTableEx" function calculates the size of symbol table in an unsafe manner. See the images below.

The size value is then passed to the "AllocBlk" function, which, as its name implies, allocates memory from heap by calling the "RtlAllocateHeap" function. One more thing to mention about the "AllocBlk" function is that if the size value is less than or equal to 0x400 bytes, it allocates 0x400 bytes. For example, if the "NumberOfSymbols" field is 0x8000000C, it will be truncated to 0xF0 and 0x400 bytes will be allocated.

After memory has been allocated, the "ConvertRgImgSymToRgImgSymEx" function is called with the first parameter set to the number of symbols and the second parameter to the address of the newly allocated memory. Inside the "ConvertRgImgSymToRgImgSymEx" function is a loop that copies data to the newly allocated memory.

Carefully choosing the input file size, "PointerToSymbolTable", and "NumberOfSymbols" values, we can easily corrupt the heap in a way that allows code execution.

One important thing to add about this vulnerability is that invoking the famous dumpbin utility shipped with Microsoft Visual Studio always ends up with invoking link.exe (link.exe /dump).